From: Will Deacon <will.deacon@arm.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Catalin Marinas <catalin.marinas@arm.com>,
Kees Cook <keescook@chromium.org>,
Laura Abbott <labbott@redhat.com>
Subject: Re: [RFC PATCH 1/2] arm64: write __range_ok() in C
Date: Thu, 16 Nov 2017 15:28:19 +0000 [thread overview]
Message-ID: <20171116152818.GM9361@arm.com> (raw)
In-Reply-To: <20171026090942.7041-2-mark.rutland@arm.com>
On Thu, Oct 26, 2017 at 10:09:41AM +0100, Mark Rutland wrote:
> Currently arm64's __range_ok() is written in assembly for efficiency.
>
> This hides the logic from the compiler, preventing the compiler from
> making some optimizations, such as re-ordering instructions or folding
> multiple calls to __range_ok().
>
> This patch uses GCC's __builtin_uaddl_overflow() to provide an
> equivalent, efficient check, while giving the compiler the visibility it
> needs to optimize the check. In testing with v4.14-rc5 using the Linaro
> 17.05 GCC 6.3.1 toolchain, this has no impact on the kernel Image size,
> (but results in a smaller vmlinux).
>
> Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Laura Abbott <labbott@redhat.com>
> Cc: Will Deacon <will.deacon@arm.com>
> ---
> arch/arm64/include/asm/uaccess.h | 19 +++++++++++--------
> 1 file changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
> index fc0f9eb66039..36f84ec92b9d 100644
> --- a/arch/arm64/include/asm/uaccess.h
> +++ b/arch/arm64/include/asm/uaccess.h
> @@ -70,17 +70,20 @@ static inline void set_fs(mm_segment_t fs)
> *
> * This needs 65-bit arithmetic.
> */
> +static bool __range_ok_c(unsigned long addr, unsigned long size)
> +{
> + unsigned long result;
> +
> + if (__builtin_uaddl_overflow(addr, size, &result))
I'm not sure if you're planning to revisit this series, but thought I'd
give you a heads up that apparently GCC 4.x doesn't have support for this
builtin, so we'll need to carry the asm at least for that toolchain.
Will
WARNING: multiple messages have this Message-ID (diff)
From: will.deacon@arm.com (Will Deacon)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC PATCH 1/2] arm64: write __range_ok() in C
Date: Thu, 16 Nov 2017 15:28:19 +0000 [thread overview]
Message-ID: <20171116152818.GM9361@arm.com> (raw)
In-Reply-To: <20171026090942.7041-2-mark.rutland@arm.com>
On Thu, Oct 26, 2017 at 10:09:41AM +0100, Mark Rutland wrote:
> Currently arm64's __range_ok() is written in assembly for efficiency.
>
> This hides the logic from the compiler, preventing the compiler from
> making some optimizations, such as re-ordering instructions or folding
> multiple calls to __range_ok().
>
> This patch uses GCC's __builtin_uaddl_overflow() to provide an
> equivalent, efficient check, while giving the compiler the visibility it
> needs to optimize the check. In testing with v4.14-rc5 using the Linaro
> 17.05 GCC 6.3.1 toolchain, this has no impact on the kernel Image size,
> (but results in a smaller vmlinux).
>
> Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Laura Abbott <labbott@redhat.com>
> Cc: Will Deacon <will.deacon@arm.com>
> ---
> arch/arm64/include/asm/uaccess.h | 19 +++++++++++--------
> 1 file changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
> index fc0f9eb66039..36f84ec92b9d 100644
> --- a/arch/arm64/include/asm/uaccess.h
> +++ b/arch/arm64/include/asm/uaccess.h
> @@ -70,17 +70,20 @@ static inline void set_fs(mm_segment_t fs)
> *
> * This needs 65-bit arithmetic.
> */
> +static bool __range_ok_c(unsigned long addr, unsigned long size)
> +{
> + unsigned long result;
> +
> + if (__builtin_uaddl_overflow(addr, size, &result))
I'm not sure if you're planning to revisit this series, but thought I'd
give you a heads up that apparently GCC 4.x doesn't have support for this
builtin, so we'll need to carry the asm at least for that toolchain.
Will
WARNING: multiple messages have this Message-ID (diff)
From: Will Deacon <will.deacon@arm.com>
To: Mark Rutland <mark.rutland@arm.com>
Cc: linux-arm-kernel@lists.infradead.org,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com,
Catalin Marinas <catalin.marinas@arm.com>,
Kees Cook <keescook@chromium.org>,
Laura Abbott <labbott@redhat.com>
Subject: [kernel-hardening] Re: [RFC PATCH 1/2] arm64: write __range_ok() in C
Date: Thu, 16 Nov 2017 15:28:19 +0000 [thread overview]
Message-ID: <20171116152818.GM9361@arm.com> (raw)
In-Reply-To: <20171026090942.7041-2-mark.rutland@arm.com>
On Thu, Oct 26, 2017 at 10:09:41AM +0100, Mark Rutland wrote:
> Currently arm64's __range_ok() is written in assembly for efficiency.
>
> This hides the logic from the compiler, preventing the compiler from
> making some optimizations, such as re-ordering instructions or folding
> multiple calls to __range_ok().
>
> This patch uses GCC's __builtin_uaddl_overflow() to provide an
> equivalent, efficient check, while giving the compiler the visibility it
> needs to optimize the check. In testing with v4.14-rc5 using the Linaro
> 17.05 GCC 6.3.1 toolchain, this has no impact on the kernel Image size,
> (but results in a smaller vmlinux).
>
> Signed-off-by: Mark Rutland <mark.rutland@arm.com>
> Cc: Catalin Marinas <catalin.marinas@arm.com>
> Cc: Kees Cook <keescook@chromium.org>
> Cc: Laura Abbott <labbott@redhat.com>
> Cc: Will Deacon <will.deacon@arm.com>
> ---
> arch/arm64/include/asm/uaccess.h | 19 +++++++++++--------
> 1 file changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
> index fc0f9eb66039..36f84ec92b9d 100644
> --- a/arch/arm64/include/asm/uaccess.h
> +++ b/arch/arm64/include/asm/uaccess.h
> @@ -70,17 +70,20 @@ static inline void set_fs(mm_segment_t fs)
> *
> * This needs 65-bit arithmetic.
> */
> +static bool __range_ok_c(unsigned long addr, unsigned long size)
> +{
> + unsigned long result;
> +
> + if (__builtin_uaddl_overflow(addr, size, &result))
I'm not sure if you're planning to revisit this series, but thought I'd
give you a heads up that apparently GCC 4.x doesn't have support for this
builtin, so we'll need to carry the asm at least for that toolchain.
Will
next prev parent reply other threads:[~2017-11-16 15:28 UTC|newest]
Thread overview: 63+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-26 9:09 [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks Mark Rutland
2017-10-26 9:09 ` [kernel-hardening] " Mark Rutland
2017-10-26 9:09 ` Mark Rutland
2017-10-26 9:09 ` [RFC PATCH 1/2] arm64: write __range_ok() in C Mark Rutland
2017-10-26 9:09 ` [kernel-hardening] " Mark Rutland
2017-10-26 9:09 ` Mark Rutland
2017-11-16 15:28 ` Will Deacon [this message]
2017-11-16 15:28 ` [kernel-hardening] " Will Deacon
2017-11-16 15:28 ` Will Deacon
2017-11-20 12:22 ` Mark Rutland
2017-11-20 12:22 ` [kernel-hardening] " Mark Rutland
2017-11-20 12:22 ` Mark Rutland
2017-10-26 9:09 ` [RFC PATCH 2/2] arm64: allow paranoid __{get,put}user Mark Rutland
2017-10-26 9:09 ` [kernel-hardening] " Mark Rutland
2017-10-26 9:09 ` Mark Rutland
2017-10-27 15:41 ` [RFC PATCH 0/2] arm64: optional paranoid __{get,put}_user checks Will Deacon
2017-10-27 15:41 ` [kernel-hardening] " Will Deacon
2017-10-27 15:41 ` Will Deacon
2017-10-27 20:44 ` Mark Rutland
2017-10-27 20:44 ` [kernel-hardening] " Mark Rutland
2017-10-27 20:44 ` Mark Rutland
2017-10-28 8:47 ` Russell King - ARM Linux
2017-10-28 8:47 ` [kernel-hardening] " Russell King - ARM Linux
2017-10-28 8:47 ` Russell King - ARM Linux
2017-10-31 23:56 ` Laura Abbott
2017-10-31 23:56 ` [kernel-hardening] " Laura Abbott
2017-10-31 23:56 ` Laura Abbott
2017-11-01 12:05 ` Mark Rutland
2017-11-01 12:05 ` [kernel-hardening] " Mark Rutland
2017-11-01 12:05 ` Mark Rutland
2017-11-01 21:13 ` Laura Abbott
2017-11-01 21:13 ` [kernel-hardening] " Laura Abbott
2017-11-01 21:13 ` Laura Abbott
2017-11-01 22:28 ` Kees Cook
2017-11-01 22:28 ` [kernel-hardening] " Kees Cook
2017-11-01 22:28 ` Kees Cook
2017-11-01 23:05 ` Laura Abbott
2017-11-01 23:05 ` [kernel-hardening] " Laura Abbott
2017-11-01 23:05 ` Laura Abbott
2017-11-01 23:29 ` Kees Cook
2017-11-01 23:29 ` [kernel-hardening] " Kees Cook
2017-11-01 23:29 ` Kees Cook
2017-11-02 1:25 ` Laura Abbott
2017-11-02 1:25 ` [kernel-hardening] " Laura Abbott
2017-11-02 1:25 ` Laura Abbott
2017-11-03 23:04 ` [RFC PATCH 1/2] x86: Avoid multiple evaluations in __{get,put}_user_size Laura Abbott
2017-11-03 23:04 ` [kernel-hardening] " Laura Abbott
2017-11-03 23:04 ` [RFC PATCH 2/2] x86: Allow paranoid __{get,put}_user Laura Abbott
2017-11-03 23:04 ` [kernel-hardening] " Laura Abbott
2017-11-04 0:14 ` Kees Cook
2017-11-04 0:14 ` [kernel-hardening] " Kees Cook
2017-11-04 0:24 ` Al Viro
2017-11-04 0:24 ` [kernel-hardening] " Al Viro
2017-11-04 0:44 ` Al Viro
2017-11-04 0:44 ` [kernel-hardening] " Al Viro
2017-11-04 1:39 ` Kees Cook
2017-11-04 1:39 ` [kernel-hardening] " Kees Cook
2017-11-04 1:41 ` Kees Cook
2017-11-04 1:41 ` [kernel-hardening] " Kees Cook
2017-11-04 1:58 ` Mark Rutland
2017-11-04 1:58 ` [kernel-hardening] " Mark Rutland
2017-11-06 20:38 ` Laura Abbott
2017-11-06 20:38 ` [kernel-hardening] " Laura Abbott
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171116152818.GM9361@arm.com \
--to=will.deacon@arm.com \
--cc=catalin.marinas@arm.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=labbott@redhat.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mark.rutland@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.